Question

I can launch ec2-instance with iam-role in management console. But how do i launch ec2-instance with iam-role from aws-ruby-sdk?

iam-role "    test"'s Policy is here
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"

This was the result.

/var/lib/gems/1.8/gems/aws-sdk-1.7.1/lib/aws/core/client.rb:318:in `return_or_raise': 
You are not authorized to perform iam:PassRole with arn:aws:iam::xxxxxxxxxxx:role/test 
(AWS::EC2::Errors::UnauthorizedOperation)

Answer 1

The credentials you are using from your Ruby script do not have permission to launch an instance using the 'test' IAM Role. You need to modify the policy for this user, and grant it the IAM : PassRole permission, For e.g:

{
  "Statement": [{
      "Effect":"Allow",
      "Action":"ec2:RunInstances",
      "Resource":"*"
    },
    {
      "Effect":"Allow",
      "Action":"iam:PassRole",
      "Resource":"arn:aws:iam::xxxxxxxxxxx:role/test"
    }]
}

This is a security feature - it is possible to mis-configure IAM to allow privilege escalations, so AWS uses a "secure by default" policy.

You could also use this policy to allow your users to launch instances using any IAM role - but make sure you are aware of security implications before doing this:

  {
      "Effect":"Allow",
      "Action":"iam:PassRole",
      "Resource":"*"
    }]